The Simple WP Events plugin for WordPress permits an attacker to retrieve sensitive data that is embedded in outgoing traffic. When the plugin handles or transmits event information, it fails to remove confidential values, allowing them to be exposed. This flaw can compromise the confidentiality of user details, event metadata, or site configuration data by letting an unauthenticated user read information that the site owner intended to keep private.

All releases of the WPMinds Simple WP Events plugin up through version 1.8.17 are affected. Any WordPress site that has this plugin installed with a version ≤ 1.8.17 may be susceptible.

The CVSS score of 7.5 indicates a high‑severity problem, while the EPSS score of <1% and absence from the CISA KEV catalog suggest that widespread exploitation is currently unlikely. The weakness can be exercised via normal HTTP requests to the plugin’s data handling endpoints, meaning the attack vector is remote and a local server compromise is not required. If successfully leveraged, an attacker can read and exfiltrate sensitive data exposed by the plugin, affecting confidentiality and potentially leading to broader disclosure of site or user information.